Sunday, May 11, 2014

ASA ikev2 VPN s-2-s (PKI) - part two

I’d like to continue the ikev2 topic (ASA ikev2 VPN s-2-s (PKI) -
part one) and introduce new features which allow me to achieve the same
result. I strongly recommend reading the previous post first to have a
clear picture of what I’m going to do. I will work on the same network
diagram.

There is one global parameter which we can use to control the traffic in another way:

sysopt connection permit-ipsec

By default the command is active, which means that the ASA permits all
traffic arriving through the VPN tunnel without checking it against the
interface access list. You don’t need any access list to specify
what is allowed inside the tunnel. When you disable this feature with “no
sysopt connection permit-ipsec”, the ASA requires an access list on the
interface for all traffic which you want to send over the tunnel. Let’s
disable the feature on both ASAs:
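Here is an added configuration example illustrating the difference the command makes; it is not the post’s own configuration and does not use the diagram from part one. The subnets (10.1.1.0/24 behind the local ASA, 10.2.2.0/24 behind the peer) and the interface name “outside” are assumptions. One caveat: on ASA 7.1 and later the keyword is `permit-vpn` rather than `permit-ipsec`, with the same meaning.

```cisco
! Added example, not the original post's configuration.
! Assumed addressing: 10.1.1.0/24 is the local protected subnet,
! 10.2.2.0/24 is the remote protected subnet, the peer is reached via "outside".

! 1. Default state: decrypted tunnel traffic bypasses the interface ACL.
!    The setting is hidden in "show run" because it is a default; use "all".
show running-config all sysopt
!   -> sysopt connection permit-vpn   (shown as permit-ipsec on old releases)

! 2. Disable the bypass. From now on packets that come out of the tunnel
!    are evaluated against the access-group applied inbound on "outside".
no sysopt connection permit-ipsec

! 3. Permit only the remote protected subnet towards the local one and
!    log everything else. Without this ACL the tunnel comes up but the
!    decrypted traffic is dropped, which is the expected failure mode.
access-list OUTSIDE_IN extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! 4. Verify that the ACL hit counters increase for the tunnel traffic.
show access-list OUTSIDE_IN
```

The crypto ACL attached to the crypto map still decides which traffic gets encrypted; the interface ACL shown here is a second, independent check on what the ASA accepts after decryption, which is why it must be maintained on both peers once the feature is disabled.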